Background Of The Invention

Randomness is a basic and well-known tool in many disciplines of science and technology. It finds applications in fields such as communications, data security, access control, and processes based on chaos theory.

In some systems, such as hopping based systems, there is a need for identical and simultaneous randomness at different remote locations.

Furthermore, a random result employed at the remote locations is preferably confidential and unknown to an unauthorized party. Examples include:

(i) key data encryption methods, in which both communicating parties need to have the same secret key, which is typically a random key;

(ii) remote access control, in which a distant operator needs to have the same password as that installed in a machine to be accessed - this password is preferably a random password; and

(iii) chaos processes which are executed remotely. 

Encryption, in particular, is a necessary tool in electronic communications, wherein data of highly sensitive content is propagated through public networks. An ideal data security system using encryption technology as the principal tool should be able to provide the following three features:

1) provide identification and authentication of the data source and destination,

2) prevent unauthorized access to the data, and 

3) protect the data from unauthorized tampering. 

Generally speaking, encryption involves turning a meaningful series of data into a meaningless and apparently random sequence. Recovery of the original meaningful sequence is only possible with certain additional information. Certain encryption systems allow a receiver of data to determine that the data has been altered following encryption. Likewise, certain ways of using encryption keys allow for electronic signature of the data, so that the receiver of the data is able to be sure who the sender is, and suitable use of the electronic signature allows both parties to be sure of the other party.

The vast majority of encryption systems include two components, an algorithm, or encryption method, and a key, which, generally speaking, contains values to be used at various steps in the algorithm.

For the most part, the algorithms used in encryption systems are known. The exceptions are in certain government applications, and generally it is very inadvisable for an encryption system to rely on the secrecy of the algorithm. Thus, the security of most encryption systems lies with the secrecy of the key.

Generally speaking, encryption methods may be classified into groups as follows:

symmetric key encryption, as opposed to asymmetric (public key) encryption,

random (one time pad) encryption, as opposed to algorithmic encryption,



PCT/IL02/00571 

WO 03/009513 

block enciphering, as opposed to stream enciphering, etc. 
However, in each case, in the broad sense outlined above, in order to obtain a closed solution having all features of data security, there is the need to share secret information in order for the system to work.

Approaches for breaking into encryption systems to allow unauthorized access to the data may be grouped into four. They are:

1. Reverse engineering,

2. Cryptanalysis and mathematical methods,

3. Tape and retransmit,

4. Exploitation of human weakness.

The above approaches are often used in combination and in general, secure encryption has to be based on the assumption that any key, after being used for a certain amount of time, will tend to become known. Secure communication thus requires frequent changes to the key. In particular, as available computing power is growing, key lifetime is becoming shorter and shorter.

The process of regularly changing keys is known as key management, and key management is thus becoming a more and more important part of encryption and secure communication.

When using symmetric encryption systems, the exact same key is needed at both parties and thus key management involves the transfer of the key from one party to another.

When using asymmetric systems, key changeover is simpler. If one party changes his key, then internally he changes his private key, which is needed for reading any messages. He then only has to [illegible] the public key, which does not need to be kept secret. The public key is needed for encryption but is completely useless for decryption of messages. However, even in the case of asymmetric systems there remains the issue of changeover occurrence. If one party starts to use the key before the other, then there will be a short period of unintelligible conversation. Furthermore, when one party receives a new key, he needs to be sure that the key he has received indeed comes from the other party and not from an eavesdropper. Generally, asymmetric systems use a system of mutually exchanging keys so that they are able to rely on each other. Nevertheless, difficulties remain, for example where authorized parties lose synchronization at the crucial moment of key exchange.

One approach in key management involves the use of a trusted third party, a so-called certificate authority. The certificate authority manages key changes for all
However, the use of a certificate authority does not actually solve any of the key management problems as such, it simply moves them [illegible].

Thus modern secure communication, essentially, is a question of key management, and the key management issue may be summed up by the following statements:

Communication security relies on secret information (the key).
A secure communication system may be regarded as a chain, and the level of security provided is that of the weakest link in that chain.
The more a key has been used the less secret it is.

Computing power increases at a steady rate, and as that power increases, so the lifetime of the key decreases [illegible] frequent changing of the key or the use of computationally more complex keys.

The regular exchange of keys necessitated by the above must be carried out without giving any information away to eavesdroppers.

Current key management systems include two major categories, the master key hierarchy in which heavy master keys are used for secure transfer of session keys, which session keys are used for the encryption of the bulk of the communicated data. The approach fails to solve in depth any of the problems discussed above since weaknesses associated with the lower level session keys are transferred to the higher level master keys. Whilst it is true that it is harder for an eavesdropper to deal with the higher level keys, the approach does not provide any conceptual increase in security level since the higher level keys are not generally changed.

The public key approach to key management is simply to exchange public keys at intervals. In general, the public key is a computationally intensive key to generate, and is regarded as being computationally intensive for decryption and thus the keys are not changed regularly. However, it should be borne in mind that the computational effort to break the key is important only to one out of the four methods for breaking the system, and indeed is of no importance at all to the reverse engineering and human weakness approaches or to hacking, in which the eavesdropper attempts to enter a computer system and obtain the keys. Thus, failure to carry out regular key exchange even in public key encryption systems is here regarded as a mistake.

As mentioned above, the public key system relies for the user identification [illegible] on a mutual key transfer with each side using his private key to sign the message. The identification step may be carried out with the help of a certificate authority acting as a trusted third party. However, in either case, the computational complexity of generating new keys together with the identification needs, management effort and administration discourage effective key management practice, and key exchange using the public key system boils down in practice to using a fixed key.

In order for a key to be secure, it requires an element of unpredictability. For [illegible] if the prime numbers themselves, from which the key is built, are in any way predictable, the RSA key is not secure.

Keys or key systems for encrypted data as described above preferably rely on random processes for their creation. Authorized parties to a given communication must have compatible keys. However it is preferable to avoid sending keys, both in order to avoid interception, and to make the encryption process itself simpler and faster. The sending of keys is especially risky in the case of symmetric key systems where the key transmitted is the key needed for decrypting the message. Also the sending of keys delays the communication process. Preferably, therefore, the ideal key management system should allow users to produce the same random key independently. If the key is to be generated using a random process, however, then two parties cannot conventionally generate the same random process separately, because if it can be exactly repeated then it cannot be random. Indeed the ability to reproduce the process defies the definition of randomness, and no process that can be repeated may be truly random.

A particular environment in which encryption is important is the Internet. Increasingly, the Internet is becoming the forum for business and other transactions in which confidentiality is necessary. Generally, over the Internet, most users expect encryption to work substantially transparently, at the very least not to hold up communication. The communication itself takes place over an open channel in which data is passed from one node to another and may actually be stored on intermediate nodes where it can be accessed later by eavesdroppers. An efficient system of key management, which does not slow down communication and also does not leave keys lying around on intermediate Internet nodes, is therefore needed.

Current approaches for providing simultaneous availability of random results may be grouped into two general families of solutions:

(i) generating randomness at one party, and sending it to the other party; and

(ii) using a pseudo random process at both parties, e.g., a PRNG (Pseudo Random Number Generator) which gives the same random bit stream as an output at both ends if fed by the same input seed.

The above approaches are limited because both the key and the seed may be intercepted by an unauthorized party. The latter approach is demonstrated by, for example, U.S. Pat. No. 5,703,948, in which a system and method are described for transmitting encrypted messages between two parties, wherein the encrypting key is generated by two state machines, one at each party, which state machines are both identically initialized. The state machines dynamically produce changing keys, by using, each time, some randomly selected bits of a message as seeds for the next key. The machines at both ends are synchronized by using the same seed bits each time, thereby producing the same keys at both ends. Apparently, the parties have to worry about the confidentiality of the initial seed and of the dynamically changing seeds during the course of the message.

There is thus required a system of randomly setting encryption keys identically at remote locations wherein the random data for setting the keys, and certainly the keys themselves, are not available to an eavesdropper. It would further be advantageous if such a system were to include the other listed requirements of an encryption system, namely allowing for mutual identification between users and a way of recognizing whether data has been interfered with en route. A preferred system should also include a way of checking on synchronization and a way of restoring synchronization in the event of synchronization loss.

In the context of mutual identification and maintenance of synchronization, reference is made to the Byzantine agreement problem.

Two remote armies, A and B, approach from different directions to besiege a powerful city. Neither army alone is powerful enough to overcome the city and should it appear on the battlefield alone it will be destroyed. Only if both armies appear simultaneously and from opposite directions is there any chance of success.

The overall commander, located with army A, has to coordinate an attack, but has at his disposal dispatch riders as his only means of communication.

The overall commander thus sends a message to the commander of Army B, by dispatch rider, which conveys the time of and directions for the intended attack.

However, having sent the message by a courier, the commander of army A cannot be certain that the message has reached its destination (and if it has, that it has not been tampered with on the way). Logic dictates that he will not attack due to his instinct for self-preservation.

Having received the message, the commander of Army B is faced with the same problem: he cannot be certain that the content of the message is real and that it indeed comes from his ally. It could be a false message sent by the enemy and intended to lure him to his destruction. Furthermore, he knows that commander A has an instinct for self-preservation which is no less real than his own. Thus he must assume that A will not attack and hence he does not attack.

Furthermore, he knows that his ally, the commander of army A, will be faced with the same dilemma when receiving his acknowledgement and is unlikely to launch an attack on the basis of this information. Army B, in any case, sends back to Army A an acknowledgment message, of the time of and directions for the attack.

Army A receives the acknowledgement but also cannot be sure that the acknowledgement is genuine and has not been sent by the enemy to lure them to their destruction. Furthermore, A knows of B's instinct for self-preservation. Bearing this in mind, army A must assume that army B will not attack. The situation is not improved however many further rounds of acknowledgement and confirmation are carried out. That is to say, having sent the acknowledgment message, both army A and army B keep facing the same dilemma of not being able to assume that the other will attack and, as a result, an attack will never be launched.

The "Byzantine Agreement Problem" is a logical dilemma that is relevant when translated into modern communications, especially when considering, for example, open communication modes such as the Internet, which is exposed to hackers, impostors etc. and to errors and breaks in communications.

The issues that this logical dilemma presents, and need to be solved, are (i) synchronization; (ii) simultaneity; (iii) identification; and (iv) authentication.

At the basis of the problem lies the fact that at any given step, one party knows less than the other, and there is a lag between the knowledge of the parties (about the situation of one party in regard to [illegible] mutual understanding).

The Byzantine agreement problem thus raises the following issues: synchronization, simultaneity, identification, and authentication. The root of the problem is that at any given leg of the communication procedure, one party leads and one party lags, even if by nanoseconds, thus leading to scope for dispute and to impersonation.

The depth of the problem may be demonstrated by illustrating two approaches that have been used in attempted solutions in the past.

1) Clock timing synchronization. Each party has an identically set clock. A parameter changes at predetermined clock settings. Unfortunately the two clocks cannot be set so accurately with respect to one another that no dispute occurs at any
Even a difference of nanoseconds can lead to dispute over some of the data.

2) Synchronization by announcement. A parameter change is made upon receipt of a predetermined announcement. Unfortunately, this approach begs the essence of the Byzantine agreement problem, since I do not know whether the other side has received the announcement, or whether it originates from a legitimate source at all.

There is thus a widely recognized need for, and it would be highly advantageous to have, a simple and practical way to produce identical ongoing randomness at separate and remote locations, that is confidential in nature and which enables a mode of communication, synchronization or authentication between two parties that is not vulnerable to the logical dilemmas of the Byzantine agreement problem, and which may provide a comprehensive solution to secure key management.

Summary of the Invention

According to an aspect of the present invention there is provided a system and apparatus for utilization, for setting encryption keys, by remotely located parties, of a mutually remotely located random data generation process. Preferably, the remotely located random data generation process generates a large amount of random data and two parties secretly share starting information telling them where to look initially for random data from the process. The parties each have identically set arrangements for using the current random data to select the next required random data from the process.

In an embodiment, the remotely located random data process preferably comprises a plurality of individual random processes and a means for the parties to respectively select the same one of the plurality of processes at any given time. Data from previous processes is used subsequently to select new processes in such a way that the process selection remains confidential to anyone eavesdropping on the remotely located random process itself.

Moreover, the process following comprises features that allow for correct working even in noisy and/or other less than perfect conditions. The system comprises a working synchronization feature for allowing the parties to be sure that they are in synchronization with each other and, when synchronization loss is detected, there is a resynchronization method which redirects each party to a same new random process. The unique synchronization technique and resynchronization features provide for a stable communication system that preferably overcomes the difficulties represented by the Byzantine agreement problem.

According to a first aspect of the present invention there is thus provided apparatus for use by a first party for key management for secure communication with a second party, the key management being to provide at each party, simultaneously remotely, identical keys for the secure communication without transferring the keys over any communication link, the apparatus comprising:

a datastream extractor, for obtaining from data exchanged between the parties a bitstream,

a random selector for selecting, from the bitstream, a series of bits in accordance with a randomization seeded by the data exchanged between the parties,

a key generator for generating a key for encryption/decryption based on the series of bits,

thereby to manage key generation in a manner repeatable at the parties.

Preferably, the random selector is operable to use results of the randomization as addresses to point to bits in the datastream.

Preferably, the key generator is operable to generate a new key after a predetermined number of message bits have been exchanged between the parties.

Preferably, the predetermined number of message bits is substantially equal to a length in bits of the key.

The apparatus preferably comprises a control messager for sending control messages to the remote party, thereby to indicate to the remote party a state of the apparatus to enable the remote party to determine whether the remote party is synchronized therewith to generate an identical key.

The apparatus preferably comprises a synchronized state determiner, for determining from control messages received from a remote party whether the apparatus is synchronized therewith to generate an identical key.

The apparatus preferably further comprises a resynchronizer, associated with the synchronous state determiner, the resynchronizer having a resynchronization random selector for selecting, from a part of the bitstream previously used by the random selector, a series of bits in accordance with a randomization seeded by the data exchanged between the parties, in the event of determination of synchronization loss, thereby to regain synchronization.

Preferably, the series of bits is a series of bits previously used by the random selector.

Preferably, the control messager is operatively connected to the synchronous state determiner, thereby to include within the control messages a determination of synchronization loss.

Preferably, the control messager is operatively connected with the resynchronizer, to control the resynchronizer to carry out the selection in the event of receipt of a message from the remote party that the remote party has lost synchronization.

Preferably, the data communication is arranged in cycles, the part of the bitstream being exchangeable in each cycle.

Preferably, the cycle is arranged into sub-units, each the cycle having an exchange point at its beginning for carrying out the exchange.

Preferably, the messager is usable to exchange control messages with the remote party to ensure that a same bitstream part is used for resynchronization at both the parties.

Preferably, the messager is usable to vary a control message in accordance with a sub-cycle current at a synchronization loss event, thereby to control the remote party to resynchronize using a same bitstream part.

Preferably, the apparatus is operable to respond to messages sent by a remote party following the synchronization loss event, to revert to the same bitstream part as the message indicates that the remote party intends to use.

The apparatus preferably comprises circuitry for determining which of itself and the remote party is a transmitting party and being operable to control the synchronization when it is a transmitting party and to respond to control commands of the remote party when the remote party is the transmitting party.

Preferably, the synchronized state determiner comprises:

a calculation circuit for carrying out an irreversible calculation on any one of the bitstream, the randomization, the key and derivations thereof, and

a comparator for comparing a result of the calculation with a result received from the remote party,

thereby to determine whether the parties are in synchronization.

Preferably, the irreversible calculation comprises a one-way function.

Preferably, the system is operable to provide key management for a symmetric cryptography algorithm.

In a preferred embodiment the apparatus is constructed modularwise such that the cryptography algorithm is exchangeable.

According to a second aspect of the present invention there is provided a system for providing key management between at least two separate parties, the system comprising:

a primary bitstream for exchange between the parties,

and at each party:

a selector for randomly selecting, at predetermined selection intervals, parts of the primary bitstream to form a derived bit source, each selector being operable to use the derived bit source, in an identical manner, to randomize the selecting, and

a key generator for generating cryptography keys at predetermined key generating intervals using the derived bit source of a corresponding selection interval.

Preferably, the primary bitstream is obtainable as a stream of bits from a data communication process between the two parties.

Preferably, the bits in the primary bitstream are separately identifiable by an address, and wherein the selector is operable to select the bits by random selection of addresses.

Preferably, each selector comprises an address generator and each address generator is identically set.

Preferably, the system further comprises a controller for exchanging control data between the parties to enable each party to determine that each selector is operating synchronously at each party.

Preferably, the control data includes any one of a group comprising:
redundancy check data, and
a hash encoding result,
of at least some of the bits from the derived bit source.

Preferably, the control data includes any one of a group comprising:
redundancy check data, and
a hash encoding result,
of at least some of the bits of the randomization.

Preferably, the control data includes any one of a group comprising:
redundancy check data, and
a hash encoding result,
of at least some of the bits from the key.

Preferably, the control data includes any one of a group comprising:
redundancy check data of at least some of the addresses, and
a hash encoding result of at least some of the addresses.

A preferred embodiment further comprises at each party a resynchronizer operable to determine from the control data that synchronization has been lost between the parties and to regain synchronization based on a predetermined earlier part of the derived bit source.

A preferred embodiment further comprises at each party a resynchronizer operable to determine from control data exchanged between the parties that synchronization has been lost between the parties and to regain synchronization based on a predetermined earlier part of the derived bit source.

Preferably, the data communication process is arranged in cycles, the predetermined earlier part being exchangeable in each cycle.

Preferably, the cycles are arranged into sub-units, each the cycle having an exchange point at its beginning for carrying out the exchange of the predetermined earlier part of the derived bit source.

Preferably, the controller is usable to include in the control messages data to ensure that a predetermined earlier part of the derived bit source of a same cycle is used for resynchronization at both the parties.

Preferably, the controller is usable to vary a control message in accordance with a sub-cycle current at a synchronization loss event, thereby to control the remote party to resynchronize using the same predetermined earlier part of the derived bit source.

A preferred embodiment is operable to respond to messages sent by a remote party following the synchronization loss event, to revert to the same predetermined earlier part of the derived bit source as the message indicates that the remote party intends to use.

According to a further aspect of the present invention there is provided a method of key management with at least one remote party, comprising the steps of:

sharing with the remote party a primary data stream,

using the primary data stream to form a randomizer,

selecting parts of the primary data stream using the randomizer to form a derived data source, and

using the derived data source to form cryptography keys at predetermined intervals.

Preferably, the primary data source is obtainable as a stream of bits from a communication process between the two parties.

Preferably, the primary data source comprises a stream of data bits divisible into data units and comprising selecting at random from the data bits of each data unit.

Preferably the bits in the data units are separately identifiable by addresses, and the method comprises selecting the bits by using the randomizer as an address pointer.

Preferably, selecting is carried out by using identically set pseudorandom data generation at each party, and using the derived data source as a seed for the pseudorandom data generation.

Preferably, the method further comprises exchanging control data between the parties to enable each party to determine whether they are operating synchronously with the other party.

Preferably, the control data includes any one of a group comprising:
redundancy check data of at least some of the derived data source, and
a hash encoding result of at least some of the derived data source.

The method preferably comprises determining from the control data whether synchronization has been lost between the parties and, if so, regaining synchronization based on a predetermined earlier part of the derived data source.

The method preferably further comprises a step of exchanging the predetermined earlier part of the derived data source at predetermined intervals.

The method preferably further comprises:

determining a possibility of each party being at a different cycle at synchronization loss, and

controlling the resynchronization to use a same predetermined earlier part of the derived data source at both parties.

The method preferably further comprises creating in advance a future cycle's predetermined earlier part of the derived data source for resynchronizing with a party that has already moved to such a cycle.

The method may be used to provide key management for a symmetric cryptography algorithm.
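
The method aspect above (shared primary data stream, address selection seeded by the derived data source, hash control data, fallback to a predetermined earlier part) can be modelled in a few lines. This is an added example, not code from the patent: the `Party` class and its method names are hypothetical, SHA-256 stands in for both the pseudorandom generation and the one-way function, bytes are addressed instead of bits, and the traffic and starting information are constructed sample values.

```python
import hashlib

KEY_LEN = 16  # bytes per key (assumed size)


def _h(label: bytes, *parts: bytes) -> bytes:
    """Labelled, length-prefixed SHA-256: the one-way function of this sketch."""
    m = hashlib.sha256(label)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


class Party:
    """One endpoint: selector, key generator and resynchronizer (hypothetical model)."""

    def __init__(self, starting_info: bytes):
        self.derived = _h(b"start", starting_info)  # derived data source
        self.earlier = self.derived                 # predetermined earlier part
        self.key = b""

    def _addresses(self, unit_len: int, count: int) -> list:
        # Identically set pseudorandom generation, seeded by the derived source.
        addrs, counter = [], 0
        while len(addrs) < count:
            block = _h(b"addr", self.derived, counter.to_bytes(4, "big"))
            for i in range(0, len(block), 4):
                # Modulo reduction is slightly biased; acceptable for a sketch.
                addrs.append(int.from_bytes(block[i:i + 4], "big") % unit_len)
            counter += 1
        return addrs[:count]

    def step(self, data_unit: bytes) -> bytes:
        """Select bytes of one data unit by address and form the next key."""
        picked = bytes(data_unit[a] for a in self._addresses(len(data_unit), KEY_LEN))
        self.derived = _h(b"derive", self.derived, picked)
        self.key = _h(b"key", self.derived)[:KEY_LEN]
        return self.key

    def control_data(self) -> str:
        """Hash of the derived source, exchanged so each side can compare state."""
        return _h(b"sync", self.derived).hex()[:16]

    def start_cycle(self) -> None:
        """Exchange point at the start of a cycle: remember the resync state."""
        self.earlier = self.derived

    def resynchronize(self) -> None:
        """Fall back to the predetermined earlier part of the derived source."""
        self.derived = self.earlier


def demo() -> dict:
    # Constructed stand-in for traffic that both parties and an eavesdropper see.
    units = [hashlib.sha256(b"unit-%d" % i).digest() * 4 for i in range(5)]
    a, b = Party(b"constructed shared start"), Party(b"constructed shared start")
    eve = Party(b"wrong guess")  # same traffic, but no starting information
    out = {}

    keys = [(a.step(u), b.step(u), eve.step(u)) for u in units[:2]]
    out["same_keys"] = all(ka == kb for ka, kb, _ in keys)
    out["eve_keys_differ"] = all(ke != ka for ka, _, ke in keys)
    out["key_changes"] = keys[0][0] != keys[1][0]

    a.start_cycle()
    b.start_cycle()
    a.step(units[2])
    a.step(units[3])  # A processes two units ...
    b.step(units[3])  # ... B missed one (constructed fault)
    out["loss_detected"] = a.control_data() != b.control_data()

    a.resynchronize()
    b.resynchronize()
    out["resynced"] = (a.control_data() == b.control_data()
                       and a.step(units[4]) == b.step(units[4]))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the traffic and the control data are visible to an observer, so the keys are only as secret as the starting information the two parties share.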



Brief Description of the Drawings

For a better understanding of the invention and to show how the same may be carried into effect, reference will now be made, purely by way of example, to the accompanying drawings.

With specific reference to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of the preferred embodiments of the present invention only, and are presented in the cause of providing what is believed to be the most useful and readily understood description of the principles and conceptual aspects of the invention. In this regard, no attempt is made to show structural details of the invention in more detail than is necessary for a fundamental understanding of the invention, the description taken with the drawings making apparent to those skilled in the art how the several forms of the invention may be embodied in practice. In the accompanying drawings:

Fig. 1 is a generalized block diagram showing two parties communicating over an open network in accordance with a first embodiment of the present invention.

Fig. 2 is a generalized block diagram showing a communication device for use in the embodiment of Fig. 1,

Fig. 3 is a simplified diagram showing how each party may obtain an identical random data stream for use in the embodiment of Fig. 1,

Fig. 4 is a simplified block diagram illustrating apparatus located with a given party for obtaining a random data stream from a bitstream data source in accordance with the embodiment of Fig. 1,

Fig. 5 is a simplified diagram illustrating a random data production procedure comprising two consecutive random processes of the kind shown in Fig. 3.

Fig. 6 is a simplified block diagram showing a device for secure communication according to a second preferred embodiment of the present invention.

Fig. 7 is a simplified block diagram showing two communication devices of the embodiment of Fig. 6, connected together over a communication channel.

Fig. 8 is a simplified block diagram showing a secure communication device further incorporating functionality for maintaining and regaining synchronization during secure communication, according to a third preferred embodiment of the present invention.

Fig. 9 is a simplified diagram showing how a process using random data may be structured for resynchronization, the structure being useful for the resynchronization embodiment of Fig. 8,

Fig. 10 is a diagram showing the structure of Fig. 9 in greater detail according to a preferred embodiment of the present invention, and

Fig. 11 is a simplified diagram showing in tabular form a protocol for ensuring that parties successfully resynchronize, in particular allowing for the possibility that the parties may not be in the same resynchronization state.

Description Of A Preferred Embodiment
Fig. 1 is a simplified block diagram showing two users, Party A and Party B,
communicating using a secure communication link over an open network 2 using an
identical key, key x, generated by random processes, the key never having been
transferred across any communication link, as will be explained in more detail
below.

In the following, key management according to the present invention will be
described with reference to symmetric encryption systems, which means that it
requires an identical key for encryption and decryption at each of the parties to the
communication. Possession of the key by an outsider allows an eavesdropper to
read the message and also to alter messages as they pass by, the altered message
appearing to the receiver as having been sent from the legitimate originator. Key
management according to embodiments of the present invention allows the two
parties to the communication to be in possession of the identical key without the key
having been transferred in any way across any communication channel, the key
nevertheless being the result of a random process.
FIG. 2 is a simplified diagram illustrating a preferred secure communication
management device 10 for location at a party for secure management of a
communication link according to a first preferred embodiment of the present
invention. The link management device 10 carries out key management by using a
random process available at a party (Party A in Fig. 2). The diagram shows
principal features of the link management device 10 and interconnection
therebetween. The skilled person will be aware that a key management device of
the kind described can be executed in hardware and/or in software. The device is
able to provide continuous production of new keys for use in the communication
link, and as will be explained below, two such devices remotely located, are able to
work on the same random process to produce identical keys at remote locations
without making the random data available for an eavesdropper.

Link management device 10 comprises six major functional components,
each for the fulfillment of a different task. Each of the components is
interconnected as shown.

A main process unit 20 carries out local user processing. It may be the
interface through which the user enters his plaintext for communication and through
which he reads decrypted incoming messages. It may typically be a general purpose
PC or part thereof.

A Manage/control unit 30 manages and controls the key management issue,
especially the randomly produced keys.

A router and arranger unit 40 routes messages to a communication port 44,
and receives messages therefrom which have arrived from the network. The router
and arranger unit 40 additionally supports other units, by arranging and preparing
message bits in a desired manner, as will be explained in more detail
below.

An encryption engine 50 is responsible for encrypting messages for secure
transmission, and decrypting received encrypted messages, and also preferably
carries out key management mission, including generation of keys.

A pointer generator 62 prepares or generates pointers,
hereinafter 'PLRB' (places to pick random bits) for use in executing random
processes as will be explained below.

A random processor 70, associated with the pointer generator 62, uses the
output of the pointer generator 62 to carry out random processes.

Main processor 20 transmits/receives regular messages (unencrypted) via a
plaintext link 41. The message is preferably passed through
Router & Arranger 40, to or from the communication port 44, while messages
requiring secure transmission are sent via plaintext, PLN line 42 to encryption
engine 50, where the plaintext is encrypted by encryptor/decryptor, hereinafter
Enc/Dec unit 52, to be output, in the form of cipher text, via cipher text, CIPH line
43 to Router & Arranger 40. The router & arranger 40 arranges the cipher text and
sends it to random processor 70, as well as to the Communication Port 44 for output
via link 46 to the open network. Similarly, secure encrypted received messages are
received from the communication line 46, through Communication Port 44, into
Router & Arranger 40 to be arranged and sent to random processor 70. The router
& arranger also sends the message via CIPH line 43 to encryption engine 50, for
decryption by Enc/Dec unit 52. The decrypted message is then sent to the main
processor 20 via PLN line 42.

Enc/Dec unit 52 is preferably fed with changing keys, produced in
key generation unit 54, as will be explained in detail below, and delivered
via key line 53, to a key input to the Enc/Dec box 52.

The random processor 70 is preferably loaded with a bit sequence via
connection 71, hereinafter loader SB line, the bit sequence being from secure
messages currently being exchanged and output by the Router & Arranger unit 40 as
described above. The bits sequence is supplied from the router and arranger but a
selection thereof is made using the pointers sequence obtained via loader PLRB line
72 from the pointer generator 62. A sequence of random bits is thus output from
the random processor via RndForUse line 73, and is input to the key generation
unit 54, for randomly producing keys. The sequence is preferably additionally fed
as an input into the random generator 62, for randomly producing new random
pointers.

Manage/control unit 30 is responsible for the activation, synchronization and
simultaneous correct working of the link management device 10 and in particular
all of the parts thereof involved in secure transmission, including key production
and key management. Management and control is exerted via control lines, for
example C1..C5. In link management device 10, control line C1, 31 is
connected to main unit 20, control line C2, 32, is connected to encryption engine 50,
control line C3, 33 is connected to pointer generator 62, control line C4, 34 is
connected to random processor 70 and control line C5, 35 is connected to Router &
Arranger 40.

The link management device 10 thus encrypts secure messages using
keys, which keys are produced using random data,
the random data being produced by random processes that work alongside and in
parallel with the encryption process as it proceeds. Furthermore, when receiving
secure messages, the messages are decrypted using continually changing keys,
which keys are produced randomly, that is using random data which is itself
produced by random processes that work alongside and in parallel with the
decryption process as it proceeds.

As described above, there is provided a system which, when duplicated at
two parties, may provide a secure channel between two communicating parties, for
transmitting and receiving encrypted messages in either direction, using continually
randomly produced and exchanged keys, which same continually randomly
produced and exchanged keys may be used by the receiver for decryption, even
though no actual key is transferred. The system thereby solves the key management
issue as presented in the background.

Reference is now made to Fig. 3, which is a simplified diagram of a process
for the production of a random data stream for use with the embodiment of Fig. 2.
The diagram illustrates in tabular form a preferred process for use in the random
processor 70 of Fig. 2.

The random process illustrated in Fig. 3 may be considered in simple terms
as a digital analog of a straightforward "choose balls out of boxes" process as
featured in texts about random processes and probability, in which questions are
asked about how many are black and how many are white and in what order. It will
of course be appreciated that the random process illustrated in Fig. 3 uses bits
(having values 0 and 1) instead of colored balls.

The random process may be illustrated as follows: Given a sequence (or stream) of
N bits, denoted SB: sequence 74, each bit has an addressable position in the stream
which may be denoted 1..N - meaning that the stream bits are ordered and numbered from
1 to N, each thus denoted bit position having a content - x1, x2, x3, ..., xN (0 or 1). The
content may be analogous to the colors black/white of the ball analogy.

The SB sequence comprising N ordered stream bits, is held in a field 74 which is
analogous to an arrangement of boxes holding the colored balls.

Separately from the SB bit sequence is a separate random bit field denoted 'RB' -
comprising M columns and 3 rows: row 1 being the rb# row, which indicates a random
bit position in the M ordered random bits sequence (random bit number), row 2 - the
PLRB row (Place of Random Bit) which indicates in each of its cells - plrb1, plrb2,
plrb3, ..., plrbM - a different address in the SB stream to find a bit, that is to say each cell
in the row contains a pointer to any of the bits in the SB bitstream. The pointer is
preferably used in order to pick out a bit from the SB stream and copy it into the cell
corresponding thereto in row 3, denoted the 'RB-Content' row,
containing the random bit content.

Thus for example, if the SB were to comprise the following 10 ordered
stream bits (N = 10) 1,0,0,0,1,1,0,0,1,1, which is to say that the content of SB
position 1 is 1, the content of SB position 2 is 0, the content of SB position 3 is 0,
the content of SB position 4 is 0, the content of SB position 5 is 1 and so on.
Now, in the same example, let us say that RB is of length 4 (M = 4) and
PLRB row positions contain 3,5,9,3, respectively. Then random bit
number 1 (rb# = 1) has a plrb1 = 3, and therefore bit number 3 is selected from the
SB, which happens to have a content of 0. Likewise, random bit number 2 (rb# = 2)
has a plrb2 = 5, and bit number 5 is selected from the SB, bit position no. 5
having a content of 1. Again, random bit number 3 (rb# = 3) has a plrb3 = 9. Thus,
bit number 9 is selected from the SB, which bit position has a content of 1. Finally
random bit number 4 (rb# = 4) has a plrb4 = 3, and thus bit number 3 is selected
from the SB, which has a content of 0. Thus, an ordered sequence of 4 random bits:
0,1,1,0 (the content of the cells of 'RB-Content' in order, respectively) is obtained.

Now, preferably the SB stream is relatively long and comprises well
distributed bits, that is to say a good distribution of distributed zeros and ones. In
the present context the term "well distributed" is taken to mean that the bits are not
in any kind of pattern, and the quantities of zeros and ones are close to equal.
Preferably, even for large numbers the ratio should not be exactly 50%:50%.

Furthermore the number of random bits to be picked out of that stream bits is
preferably relatively much lower than the total number of bits present in the SB
stream, that is to say M << N. Furthermore it is preferable that the PLRB stream, the
addresses for picking bits from the SB stream, is obtained and introduced entirely
independently of the SB stream. Provided the above conditions are fulfilled then the
above mechanism may be regarded as a random process, just like tossing a fair coin
M times.
Reference is now made to Fig. 4, which is a simplified schematic diagram
showing a mechanism according to a preferred embodiment of the present invention
for carrying out bit selection as described above with Fig. 3. In Fig. 4, broken line
arrows 75 symbolize selection by pointers of a bit from the respective bit stream,
that is to say which of the SB stream bits to copy, and the back directed full line
arrows symbolize the act of copying of the content of that bit (0 or 1) into the
respective RB position.

The PLRB pointer data items (plrbj, where 1 ≤ j ≤ M) are defined such that 1
≤ plrbj ≤ N, and allowing repetitions means allowing two or more 'plrb's to be the
same. Thus two or more random bits may be copied from the same stream bit as was
in fact shown in the numerical example above, as the 1st and the 4th random bits were
selected from stream bit # 3. If not allowing repetitions then of course each 'plrb'
will be different. Generally, and possibly counter-intuitively, allowing repetitions
gives the greater mix of possibilities and therefore is preferably set as the default
setting.

Now, it is known that 2^M < N^M if N > 2 and M ≥ 1. As each bit can be a
zero or a one, then having M random bits gives 2^M possibilities for the sequence of
M random bits, but choosing M bits out of N ordered bits, with repetitions gives
N^M possibilities. Thus guessing the final random bit stream obtained from the
longer sequence using pointers is intrinsically harder than guessing an M bit
sequence in itself.
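
The bit selection of Fig. 3 and the two counts compared above, as an added Python example that is not part of the patent text. The function names and the exhaustive enumeration are illustrative assumptions; besides reproducing the worked example, it enumerates every pointer sequence for the ten-bit SB and counts how many distinct RB contents result.

```python
from itertools import permutations, product

# Worked example from the text: N = 10 stream bits, M = 4 pointers.
SB = [1, 0, 0, 0, 1, 1, 0, 0, 1, 1]
PLRB = [3, 5, 9, 3]


def select_bits(sb, plrb, allow_repetition=True):
    """Build the RB-Content row: copy SB position plrb_j (1-based) for each j."""
    n = len(sb)
    if any(bit not in (0, 1) for bit in sb):
        raise ValueError("SB must contain only 0/1 values")
    for j, pointer in enumerate(plrb, start=1):
        if not 1 <= pointer <= n:
            raise ValueError(f"plrb{j} = {pointer} is outside 1..{n}")
    if not allow_repetition and len(set(plrb)) != len(plrb):
        raise ValueError("repeated pointer while repetitions are disallowed")
    return [sb[pointer - 1] for pointer in plrb]


def count_spaces(sb, m, allow_repetition=True):
    """Enumerate every length-m pointer sequence over sb.

    Returns (number of pointer sequences, number of distinct RB contents).
    """
    positions = range(1, len(sb) + 1)
    if allow_repetition:
        sequences = product(positions, repeat=m)   # N**M ordered choices
    else:
        sequences = permutations(positions, m)     # N!/(N-M)! ordered choices
    total = 0
    contents = set()
    for plrb in sequences:
        total += 1
        contents.add(tuple(sb[p - 1] for p in plrb))
    return total, len(contents)


if __name__ == "__main__":
    print("RB-Content:", select_bits(SB, PLRB))
    for rep in (True, False):
        total, distinct = count_spaces(SB, len(PLRB), allow_repetition=rep)
        print(f"repetitions={rep}: {total} pointer sequences, "
              f"{distinct} distinct RB contents")
```
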
Returning to FIG. 4, there is shown a structure, which may be implemented
in software, hardware or a hybrid thereof, for implementation of the random process
of the kind illustrated in FIG. 4. The structure may be incorporated within random
processor 70 in device 10 of FIG. 2.

Random processor 70 preferably comprises PLRB register 66, which holds M
random bit pointers. The pointers are preferably input into random selector (FISH)
76 via a connection denoted InpPlRnd. The random processor 70 further comprises
an SB register 74 which holds the N SB stream bits, and also comprises an RB
register 77, which holds M output random bits, the output random bits being
obtained as described above.

Random selector (FISH) 76 receives as an input the content of PLRB register
66, through line InpPlRnd as described above. Thus the random selector 76 is able
to select bits from the SB register 74, as symbolized by arrows 75, and to copy the
selected bits into the random selector 76. The M random bits may then
be output into RB register 77, from which they may be used as
random data in whatever random process is needed.

Random processor 70 preferably has two inputs as follows:

a) Loader PLRB line 72 from pointer generator 62, for supplying
PLRB register 66 with M pointers, and

b) Loader SB line 71, from the Router & Arranger box 40, for
loading SB register 74 with N ordered stream bits.

In addition there is provided a RndForUse output line 73, from RB register
77 for supplying the output M random bits to destinations such as encryption engine
50 and pointer generator 62, as illustrated in FIG. 2.

Reference is now made to Fig. 5 which is a simplified schematic diagram
showing in tabular form two consecutive random processes of the kind shown in
Fig. 3.

The random processes illustrated in FIG. 5 are named RndProci and
RndProci+1 respectively, wherein the index i (or i+1) is used for indicating the
number of the random process in a sequence of successively activated random
processes (each activation being one round of obtaining an output of M ordered
random bits from the SB). The index may be added to those parameters used
already in FIG. 3.

In the embodiment, a series of different processes are used in order,
RndProc1, RndProc2, RndProc3, RndProc4 ... It is preferable to ensure that each
random process differs from each other random process, meaning that its output of
M random bits is different from each other process in a random way. Thus
preferably, for each process different stream bits - SB are used, or different address
bits - PLRB. In a particularly preferred embodiment, both inputs, the SB and the
PLRB, are changed for each process, and are selected from independent sources, in
order to improve the level of randomness.

Reference is now made to Fig. 6, which is a block diagram illustrating a
structure, implementable in software, hardware, or a hybrid thereof, for
implementation of the random processes of the kind illustrated in Fig. 5. The figure
illustrates the sequential manner of the system. Parts that appear in earlier figures
are given the same reference numerals and are not discussed in detail again except
as needed for an understanding of the present embodiment.

FIG. 6 illustrates in greater detail the device of FIG. 2 above, for achieving
consecutive execution. To understand the figure, it is necessary to bear in mind that
a current execution step is indicated by index i, and the next consecutive step is
indicated by index i+1.

Thus, FIG. 6 differs from foregoing figures by including in encryption
engine 50, a D1 delay register 55. In any process step i the key generator 54
preferably obtains, via RndForUse line 73, the i-th step random sequence of M
random bits, and in turn generates a key Ki+1, which is transferred via Ki+1 line 56,
into D1 delay register 55 ready for use in the next, i+1 process, to provide a key
therefor.

Meanwhile, in step i, D1 delay register 55 outputs, via Ki line 53, into
Encryption unit 52, a previously generated key, Ki, for use as an
encryption/decryption key, for the current process.

Fig. 2 above had a pointer, or random address, generator 62. In the
embodiment of Fig. 6, the pointer generator is replaced by a random address unit 60
of which the pointer generator 62 is only one part.

Thus, with reference to Fig. 6, random address unit 60 is preferably
responsible for generating and handling, in a consecutive manner, serially generated
PLRBs, the addressing or pointer sequences. Preferably, the pointer generator 62
obtains, in step i, via RndForUse line 73, the i-th step random sequence of M random
bits, and in turn generates PLRBi+1, which it places in PLRBi+1 register 64. From
register 64 the generated PLRBi+1 is transferred into D2 delay register 65, where it
is stored for the next, i+1 process, to be used in that process as an input PLRB. At
the next process, it is thus loaded, via LoaderPLRB line 72, into PLRBi register 66
of RndProc Section 70, as the PLRB pointer sequence.

Meanwhile, in step i, D2 delay register 65 outputs the step i PLRBi pointers,
via LoaderPLRB line 72, into PLRBi, for use in current process i.

Thus, FIG. 6 illustrates consecutive process activation. Consecutive process
activation may be summarized as follows:

In process i, encryption engine 50 encrypts or decrypts a secure piece of a
message using a key Ki. At the same time and preferably operating in parallel,
random processor 70 receives input data from inputs as follows:

a) SBi, the N stream bits of the current process are received from Router &
Arranger Section 40, via LoaderSB line 71 into SBi register 74 (the stream bits are
preferably obtained from the ciphertext piece currently passing via the Router
& Arranger 40 as discussed above), and

b) PLRBi, the M pointers of the current process are obtained from random
address unit 60, via Loader PLRB line 72 and are loaded into a PLRBi pointer
register 66. Preferably, the pointers were generated one process earlier, that is to
say as part of process i-1, in the random address generator unit 60.

Random Processor 70 is now able to produce the M random bits of the i-th
step, which may now be placed in RB register 77.

At the same time and preferably in parallel, key generation unit 54 preferably
generates a key Ki+1 for use in the next process. The key is preferably generated
using the current set of random bits RBi, and pointer generator 62 preferably
generates the pointers for the next step, by use of the same current random bits RBi.

In the following process, the index i is preferably incremented and the above
described procedure is repeated.

Reference is now made to FIG. 7, which is a simplified block diagram
showing two of the devices of Fig. 6 connected together for the purpose of carrying
out a secure communication. In FIG. 7, two parties are illustrated, each having the
device of Fig. 6. Individual parts are given the same reference numerals and are not
discussed again except as needed for an understanding of the communication link.

Party A transmits a secure message to party B. It is assumed that the parties
have attained synchronization and retained the synchronous state. Thus, Party A can
in each case use the ciphertext before transmitting it to the Communication Channel
46, via communication Port 44. The ciphertext is preferably used as a source for
Router & Arranger 40 to provide successive streams of bits SBi, SBi+1, SBi+2,
SBi+3, and so on throughout the duration of the message, to support consecutive
random processes. As discussed above, the successive SB streams may be used to
produce encryption keys Ki+1, Ki+2, Ki+3, ... to be used successively along the
message length;

At the same time, party B uses the ciphertext, following receipt from the
Communication Channel 46, via party B's Communication Port 44, as a source from
which Router & Arranger box 40 is able to provide successive streams of bits SBi,
SBi+1, SBi+2, SBi+3, and so on throughout the duration of the message, to support
consecutive random processes. As with party A, the successive SB streams may be
used to produce encryption keys Ki+1, Ki+2, Ki+3, ... to be used successively along the
message length;

The following notation is used in Fig. 7:

a) PLN line 42 is here notated as PLN (x) - 'x' being the symbol for plaintext
in the literature,

b) CIPH line 43 is here notated as CIPH (y) as 'y' is a common symbol for
ciphertext in the literature

c) the Communication Channel 46 is headed with the symbols y' and y''.
The symbol y' indicates actual data being output to the channel, which is not the
same as the pure ciphertext y, but has, for example, added control bits, headers,
etc. The symbol y'' indicates data as it arrives from the channel, which may be a
noisy and distorted version of the message as output to the channel, message bits
may change from '0' to '1' and vice versa.

It will be appreciated that as long as the parties remain in synchronization, a
new encrypted message may be started using the last produced key of the previous
message. Such a key may have been retained, for example in the D1 key register 55.
Thus as long as the parties remain in synchronization, they are able to
maintain a secure communication link using cryptography without transferring keys
or like secrets over the lines. There is thus provided a closed solution to the key
management issue discussed above. In fact, once synchronization has been carried
out, key changes may be made as often as required, to achieve a desired level of
security, without requiring any substantial increase in the complexity of the link.

Now, as will be described below, the preferred embodiments include features
for maintaining synchronization between the parties and for allowing each party to
be aware that it is in synchronization. The features include an ability to overcome
normal levels of channel noise and distortion.

It will be appreciated that since bits of the cipher text itself are used as one
parameter to produce the random bits (RB) and the very same bits are used for
generation of a future key, correct versions of the message bits which are chosen
to be the random bits are needed at the receiver. Thus, known bit error correction
techniques are preferably used as part of the synchronization maintenance features.
A system of acknowledgements between the parties preferably prevents occurrence
of the kind of situation in which one of the parties moves from one process to the
next whilst the other fails to receive a section of ciphertext and thus gets left at an
earlier stage. In the event of total loss of synchronization a feature for regaining
synchronization that provides positive identification of the parties and excludes
eavesdroppers, is also described hereinbelow.

It will be apparent from the above description that key management, as
provided in the present embodiments, is a process that takes place simultaneously
and synchronously at all parties over the duration of the communication. Thus, in
any given step i, pointer bits PLRBi are selected, stream bits SBi are selected,
preferably from current ciphertext and output random bits RBi are produced.
Further on in the apparatus, a key is used for encryption/decryption of a message,
which key was obtained a process step earlier, and was held in memory in readiness
for use. The currently obtained random bits RBi are preferably used for generating
for the next step, step i+1. Preferably the random bits RBi are used to obtain both
the pointers PLRBi+1 for the next stage and to generate the key Ki+1. The foregoing
is referred to hereinbelow as key management.

In the following, the issue of synchronization loss is considered, namely with
what the parties may do in case they lose synchronization in respect of key
management, that is, in respect of the random processes, and consequent key
generation. In the event of synchronization loss, one party may be in process i+1, or
even i+2 or higher, while the other party remains in step i. Consequently one of the
parties may be using key Ki+1 or even Ki+2, or higher, while the other party is still
using key Ki. In such circumstances, continued communication is not possible,
which is to say the parties cannot operate a simultaneous, synchronized or identical
random process, and consequently cannot produce the same encryption/decryption
key, even though the bit stream itself (SB) may be correctly represented at both of
the parties.

The issue of synchronization is preferably dealt with as three separate issues
as follows:

a). Identification of synchronization loss.

b). Overcoming of low level synchronization loss, and

c). Resynchronization in the event of total synchronization loss.

Identification of synchronization loss is dealt with in the present
embodiments by exchanging control messages between the parties. The control
messages preferably carry information about mutual synchronization between the
parties, about the key management process as a whole, and information allowing
each party to tell about the current random process that the other party is in. The
parties are thus able to determine whether or not they are both in the same random
process (both in process i or i+1 etc.) in terms of random bit production, pointer
production and key production. It will be appreciated that the control messages
preferably do not contain sufficient information to allow an eavesdropper to
discover sufficient data about the processes

In a preferred embodiment, control messaging is carried out as follows: the
control messages themselves may be in plain text - that is to say not in themselves
encrypted, and preferably comprise indicator bits indicating states of sensitive
process data. Sensitive process data includes any of the random output bits, the bits
of the key being used, and the pointers.

The indicator bits are preferably produced by carrying out a one way function
on any of the 'sensitive data', or by carrying out a one way hash function on such
sensitive data, or are taken from redundancy bits which are the result of an error
detection code used on the sensitive data, for example a CRC of the sensitive data.
The indicator bits allow another party to realize immediately if it is in synchronization
or not, by comparing received indicator bits with self calculated indicator bits.
However, in the case of one way or hash functions the indicator bits are of no use to
anyone who does not have his own identical process to compare it to, even if he
possesses the same one way function. CRC check bits are preferably too sparse
to give away any information, and thus confidentiality is sustained.

Overcoming of low level synchronization loss is solved in the present
embodiments by using the control messages between the parties to carry out an error
correction code procedure on the random bits produced. Thus the control messaging
serves not only as an error detection mechanism as explained above, but also as an
error correction feature for minor cases of bit errors in the communication process.
Generally, the correction is applied to the SB stream bits, from which eventually the
RB random bits are selected. For the present purpose, however, it is preferable that
the bit selection is followed by executing an error correction mechanism at least on
the particular stream bits that are eventually used as random bits, or on the precise
resulting random bits, RB. Thus the parties are able to correct the particular stream
bits, or the precise random bits RB in the face of expected or normal bit error rates
over the communication link. Thus in the face of expected error rates, the parties
remain mutually synchronized.
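
The consecutive process of Figs. 6 and 7 together with the indicator-bit comparison described above, as an added Python example that is not part of the patent text. The XOR cipher, the SHA-256 based key generator, pointer generator and indicator function, the shared starting state and the sizes N = 256 and M = 32 are assumptions, since the text does not specify them; a single channel bit error is injected either on a selected or on an unselected stream bit.

```python
import hashlib

N = 256  # stream bits per process: one 32-byte ciphertext piece (assumed size)
M = 32   # random bits selected per process (assumed size)


def h(label, *parts):
    """SHA-256, standing in for the unspecified generator and one-way functions."""
    return hashlib.sha256(label + b"".join(parts)).digest()


def bit(data, pos):
    """Content of 1-based bit position pos, most significant bit first."""
    return (data[(pos - 1) // 8] >> (7 - (pos - 1) % 8)) & 1


def flip(data, pos):
    """Channel bit error: invert the bit at 1-based position pos."""
    out = bytearray(data)
    out[(pos - 1) // 8] ^= 0x80 >> ((pos - 1) % 8)
    return bytes(out)


class Party:
    """One link management device: holds Ki and PLRBi, steps to i+1."""

    def __init__(self, key, plrb):
        self.key, self.plrb, self.rb = key, list(plrb), b""

    def crypt(self, piece):
        """Enc/Dec unit 52, modelled as XOR with the current key (assumption)."""
        return bytes(p ^ k for p, k in zip(piece, self.key))

    def advance(self, ciphertext):
        """Random process i: SBi is the ciphertext piece, RBi the selected bits."""
        self.rb = bytes(bit(ciphertext, p) for p in self.plrb)
        self.key = h(b"key", self.rb)                         # Ki+1, 32 bytes
        self.plrb = [b + 1 for b in h(b"plrb", self.rb)[:M]]  # PLRBi+1, in 1..N

    def indicator(self):
        """Indicator bits: truncated one-way hash of the sensitive process data."""
        pointers = bytes(p - 1 for p in self.plrb)
        return h(b"ind", self.rb, self.key, pointers)[:8]


def send_piece(a, b, plaintext, flip_pos=None):
    """A encrypts and steps; B receives (optionally with one bit error) and steps."""
    y = a.crypt(plaintext)
    a.advance(y)
    y_rx = flip(y, flip_pos) if flip_pos else y
    recovered = b.crypt(y_rx)
    b.advance(y_rx)
    return recovered, a.indicator() == b.indicator()


def run(pieces, error=None):
    """Send all pieces; error is None, 'selected' or 'unselected' (hits piece 0)."""
    key0 = h(b"constructed initial key")
    plrb0 = [b + 1 for b in h(b"constructed initial pointers")[:M]]
    a, b = Party(key0, plrb0), Party(key0, plrb0)
    flip_pos = None
    if error == "selected":
        flip_pos = plrb0[0]
    elif error == "unselected":
        flip_pos = next(p for p in range(1, N + 1) if p not in plrb0)
    results = []
    for i, piece in enumerate(pieces):
        results.append(send_piece(a, b, piece, flip_pos if i == 0 else None))
    return results


PIECES = [bytes([i]) * 32 for i in range(1, 5)]  # constructed plaintext pieces

if __name__ == "__main__":
    for error in (None, "selected", "unselected"):
        for i, (recovered, in_sync) in enumerate(run(PIECES, error)):
            print(error, i, "plaintext ok:", recovered == PIECES[i],
                  "in sync:", in_sync)
```

An error on an unselected bit corrupts one plaintext bit but leaves both parties in step, while an error on a selected bit changes RBi and every later key, which the indicator comparison reports.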

Standard error correction procedures such as may be used in the error
correction mechanism described above, comprise limits on the number of bit errors
they are able to correct for. The limits are generally set on system design and
involve a trade-off between data rate and correction level. Thus it is possible to
design in very high levels of error correction but at the cost of communication
overhead. In any case, there is always a maximum error level that is protected
against and there is always a finite probability that such a maximum may be
exceeded, for example during a burst of unexpectedly high error rates on the line.
Such high error levels are liable to lead to de-synchronization between the parties,
despite the error correction ability described above.

Nevertheless, proper setting of the error rate maximum should ensure that
loss of synchronization is rare. In one preferred embodiment the maximum error
rate is set dynamically in that a measurement is made of the current noise level on
the line and an error correction encoding level is set in accordance with the most
recent measurement. Using dynamic error rate setting ensures that only very sudden
changes in noise levels lead to loss of synchronization.

Thus, the parties are able to:

1. recognize whether they are or are not in synchronization, and

2. prevent synchronization loss due to bit errors by correcting bits up to a
maximum error correction level.

If the error rate is exceeded then synchronization loss is unavoidable. Such
loss may occur for example as the result of a high noise event or a cut in the
communication link etc. In such a case, synchronization is preferably regained
without loss of confidentiality to outsiders and without giving the opportunity for
outsiders to impersonate the other party. One known attack method against secure
communications is to insert noise into the communication, causing synchronization
loss and then to attempt to gain synchronization with one or both of the parties, in the
former case impersonating the second party. The parties are generally remotely
located, and the aim of resynchronization is to achieve identical sensitive data,
as defined above, at each of the parties, in the right places to carry out the
current step in synchronism and to return to the correct process sequence.

The present embodiment achieves the above described re-synchronization by
keeping an agreed backup set of the sensitive data, to use as what may be described
as a resynchronization point. Thus, when synchronization loss is recognized by any
party, the other party is notified and both the parties to the communication
preferably resynchronize to the agreed resynchronization point, from which they
are able to execute a mutually identical random process and use a mutually identical
random key. From the resynchronization point onwards the parties are able to
continue as before.

It will be appreciated that the backup data set must be randomly changed
regularly or the resynchronization point would be a major breach of security in the
[illegible]. How such changes may be performed securely and without the random
changes themselves leading to further loss of synchronization will be explained
hereinbelow.

Reference is now made to Fig. 8, which is a simplified block diagram
showing part of the device of Fig. 2 in greater detail, showing features necessary for
executing resynchronization by use of backup data as referred to above. Parts that
are identical to those shown above are given the same reference numerals and are
not referred to again except as necessary for an understanding of the present
embodiment.

Given that synchronization loss occurs only relatively infrequently, the

PCT/IL02/00571

WO 03/009513

a lower frequency than the regular random processes.

Preferably in the regular random processes for each piece of data of such a
message, stepping or advancing between one process and the next is timed such
as to allow the length (in bits) of a key to be the same as the length of the data the key
[illegible], which is to say, any given key is retained for the length of time taken to
output a number of message bits equal to the length of the key. Consequently, for
a given rate of data transfer, there is multiple key changing for any message of
significant length.

On the other hand, the resynchronization points are randomly exchanged only
once in many regular key changes. The exchange of resynchronization points is
carried out silently in the background, to be ready for use as needed.

Fig. 8 shows more detailed versions of encryption engine 50 and random
address generator 60, showing additional features for handling
resynchronization.

Encryption engine 50 thus additionally comprises a backup key register
BU-Kgn 59, a backup key memory MEM BU-K 58, a key in use register K-InUse 51,
and backup key connection 57. Random address generator 60
additionally comprises a backup random pointer generator BU-RndGenPLRB 69,
backup pointer register BUPLRB 68 and pointers in use register PLRBInUse 67.
Additionally there is provided a self standing back up random bits register BU-RB
78.

During normal synchronized processing, the pointers in use register
PLRBInUse 67 takes from register 65 the set of pointers prepared during the
previous process for use in the current process. In the event of synchronization loss,
for activating a backup procedure, PLRBInUse 67 takes data for use as pointers
from backup pointer register BUPLRB 68 instead of from register 65. The backup
pointer register BUPLRB 68 [illegible]
backup data for providing pointers for use in resynchronization.

The backup data for providing pointers that has been stored in backup pointer
register BUPLRB 68 is preferably data that has been generated earlier on in
backup random pointer generator BU-RndGenPLRB 69, using random input bits
stored in back up random bit register BU-RB 78, which has been accumulating
random bits for such a purpose.

Thus, pointers in use register PLRBInUse 67 takes on the role of a gate that
decides what input - either from BUPLRB 68 or from register 65 - to pass on to
the pointers in use register PLRBInUse 67 for use in the current random process.

Meanwhile, in encryption engine 50, during regular processing, the key in
use register K-InUse 51 obtains, via K line 53, from Dl register 55, a regular key,
formed in the normal way as described above for executing a regular
encryption/decryption step. By contrast, during synchronization loss, as part of the
activation of a backup procedure, the key in use register K-InUse 51 takes, via
K line 57, a backup key from backup key memory MEM BU-K 58.

Preferably, the backup key stored in backup key memory MEM BU-K 58
has been generated beforehand in backup key generator BU-Kgn 59, by a generation
[illegible] random input bits from backup random bit register BU-RB 78, which has
been accumulating random bits as described above in respect of backup pointer
generation.

Thus, in-use key register K-InUse 51 plays the role of a gate that decides
which input - either from backup key memory MEM BU-K 58 (connection 57) or
from the Dl register 55 (connection 53) - to pass to the key in use register
K-InUse 51 for use as the key, in current encryption/decryption processing.

The backup random bits register BU-RB 78 preferably accumulates and
stores backup random bits. The back up random bits it stores may be an outcome of
individual or multiple regular random processes, as will be described in more detail
below. As described above, the backup random bits are used as random input for
generating backup keys and also backup pointers, thereby to create the data
necessary for effective resynchronization.

The backup key - stored in backup key memory MEM BU-K 58 - and the
backup pointers - stored in backup pointer register BUPLRB 68 - may be considered
as a last resort for the parties to regain synchronization. As mentioned above, the
backup data is preferably changed randomly, and the changing-over of backup data
therefore must not itself lead to an inability to synchronize.

In the following, a mechanism is described for preventing loss of
synchronization due to exchange of backup data, in other words a mechanism for
ensuring reliable backup data exchange and ensuring that the two parties attempt to
synchronize using the same backup data.

In order to describe the mechanism a number of definitions are introduced as
follows:

a. The back up synchronization, or sensitive, data refers to the backup
pointer preferably stored in the backup pointer register BUPLRB 68, together
with the key stored in the backup key register MEM BU-K 58. The backup
sensitive data changes in a random way but identically and synchronously at
each of the two parties, once in a series of a predetermined number of L Regular
successful connections between the parties. Such a series of a predetermined
number of L connections is referred to as a cycle. (e.g. - number of connections
in a cycle =L^28)

b. A connection refers to an encrypted communication from one party to
the other, having a definable beginning and a definable end. Such a connection
may often be followed by a connection from the other party back to the first
party. In the course of the connections both parties use - as the transmitter for
encryption, and as the receiver for decryption - randomly generated and
regularly changing keys, which are generated, as described above, by use of
randomness produced by executing serial consecutive processing. As discussed
above, a random process produces a random bit stream using randomly
produced pointers PLRB, and stream bits SB obtained either directly or
otherwise, from the ciphertext of the connection itself.

In alternative embodiments the bits may be obtained from other
sources, as long as the bit source is something to which both parties have
confidential access.

c. A connection preferably comprises consecutive units defined here as
sections, each section being a stream of ciphertext bits of a defined length. A
new random process is begun for each section including the use of a newly
generated random key.

d. Each section thus represents a specific random process, and includes
obtaining the output random bits (M random bits) of the respective random
process, and a production of a section key, and section pointers. A connection
comprises at least one section, the total number of sections in the connection
depending on the total length of the connection.

e. A Regular connection is a connection that begins in synchronization,
that is to say begins by using the sensitive data left from the previous
connection.

f. A successful connection is any connection that ends with the parties
still in synchronization.

g. Thus, a cycle is built of L consecutive successful regular connections,
and a connection is built of 1 or more sections.

h. At the end of a cycle the back up sensitive data - namely the back up
key stored in back up key register MEM BU-K 58, and the backup pointers
stored in backup pointer register BUPLRB 68 - are changed randomly and in the
background, that is, a new back up key is produced by backup key generator
BU-Kgn 59, and the result is entered and stored in backup key memory MEM
BU-K 58, to replace the previous backup key. Likewise new back up pointers
produced in backup random generator BU-RndGenPLRB 69 are entered and
stored to backup pointer register BUPLRB 68 to replace the previous backup
pointers. Both the back up key and the back up pointers are preferably
generated from back up random bits gathered during the first K Sections of the
respective Cycle. Typically the first K Sections may be from the first
connection in the cycle, or at most from the very first few connections of a
cycle.

i. Any party that notices, as described above, that it is out of
synchronization, preferably ceases counting regular connections within the cycle
and preferably freezes at the current position in the cycle. That is to say the
cycle counting ceases, not the connections themselves.

j. After recognition of loss of synchronization, the parties preferably
begin, as part of a new connection, that is, at the connection immediately
following, to execute a back up activation procedure. The procedure involves
using the back up key and the back up pointers to begin the first section of
the new connection. Following the first section based on the backup data, the
consecutive sections of that connection are begun in the normal way of
advanced regular keys and pointers and the connection continues as any other.

k. After a back up activation, the first following successful regular
connection begins a new cycle, meaning that new random data is initially
gathered to form a new set of backup random data. The successful regular
connection may be considered the first successful regular connection of the new
cycle and the successful regular connections are counted hereon from 1 to L.

Reference is now made to Fig. 9 which is a simplified diagram showing
connections and how they are counted in cycles.

In FIG 9 there are shown cycles of successful regular connections. As
described above, at the end of a cycle - meaning at the end of successful regular
connection number L of that cycle - the parties change the back up sensitive data.
The actual point of changeover is marked "Bu Chang Point" in the figure, and a new
cycle begins, again running from successful regular connection number 1 to
successful regular connection number L, at which point a new "Bu Chang Point" is
reached.

As discussed above, the changes in the back up sensitive data rely for their
production on randomness gathered and saved in BU-RB 78 during the first few
sections of the first successful regular connection(s) of a Cycle, and which
randomness preferably has already been used for and by the regular keys and
pointers production, during the course of the regular sections, prior to its use at the
change over point, that is, at the end of a cycle. That is to say, the random bits are
used at one part of the cycle to form a regular connection and the same bits are later
used to form the backup data, far apart from the regular use of those random bits.

The fact that the backup uses data that has already been used in the regular
process means that, since the regular processing has succeeded without loss of
synchronization, the data must be correctly held at the two parties. Had the data
been incorrectly held at one of the parties then the regular cycle would have lost
synchronization at that point, leading to the backup procedure being carried out at
that point and new backup data being selected for the new cycle. One issue remains
from the Byzantine agreement problem, namely how to ensure that the other party is
still on the same cycle. That is to say loss of synchronization may occur at or near one
of the changeover points. In such a case, it cannot be guaranteed that moving into a
new cycle and changing over the backup sensitive data is carried out synchronously
between the two parties. That is, one party may have moved on and changed over
the back up sensitive data before the other party, perhaps due to the loss in
synchronization. If the parties subsequently attempt to resynchronize using different
backup sensitive data then it may be appreciated that resynchronization is not likely
to succeed.

Reference is now made to Fig. 10, which is a simplified connections diagram
showing internal structure of areas that may be applied to a single cycle in order to
overcome the above-described problem of loss of synchronization in regard to the
backup sensitive data being used if back up activation is needed in the vicinity of a
change over point. In accordance with the embodiment of Fig. 10, a cycle is
preferably divided into 4 Areas. The four areas are herein denoted as follows: a
steady area, a transient-2 area, a transient-1 area and a transient+1 area.

The areas described above are defined over the cycle and the parties are
preferably constrained so that they are not allowed at any time to deviate from each
other by more than one area. Such a rule may be enforced using the control
messaging described above. Thus, in the case of loss of synchronization, then
provided that loss of synchronization is spotted quickly, it may be presumed that the
parties move away from each other by a maximum of one more area. Thus a worst
case separation of two areas may be assumed. In the case of communications which
are smaller than a section in length it may be assumed that a worst case separation of
one area is in operation. Thus, a Cycle is divided into 4 areas, and a constraint is set
in that the parties can be separated from each other by one area only. Thus, if the
parties are out of synchronization, and if they recognize the synchronization loss
immediately then the cycle counting ceases in accordance with rule i above. Thus
the parties may be separated by 1 or 2 Connections counting, a separation of two
connections being a worst-case scenario. Given areas that themselves consist of
more than 2 Connections, the constraint works by preventing the separation from
exceeding one area. Thus, in a preferred embodiment areas comprising three
connections are used, to provide leeway for effective resynchronization.

The Bu Change Point has what we may define as gray areas close by on
either side. The gray areas are areas in which it is possible that one party has
crossed the change over point and the other party has not. Thus, in the gray areas the
position of the other party is undefined, leading to a dilemma as to what to do. The
parties therefore carefully follow the procedure as will be outlined below, and must
take care with discarding backup information following a changeover. In achieving
a synchronized changeover the considerations of the Byzantine agreement problem
are taken into account.

The Steady Area, as shown in Fig. 10, is relatively far from the last change
over point, and relatively far before the next change over point. In case of
de-synchronization, a party in the steady area may use the current back up sensitive data
in full confidence that the other party is using the same backup sensitive data, based
on the presumption that the other party is in the same area or in a nearby one, either
one before or one ahead. In either case both have the same stored backup 'sensitive
data', and are thus able to resynchronize.

The Transient - 1 Area is a gray area, which is the area just before the
changeover point. Here the party must bear in mind that one possibility is that the
other party may have moved to the next area, to The Transient + 1 Area, that is
crossed the changeover point, and have in storage the new backup 'sensitive data'.

The Transient - 2 Area is one more gray area just before The Transient - 1
Area and just after the Steady Area.

The transient +1 area immediately follows the changeover point. A party in
the transient +1 region at the time of synchronization loss must bear in mind that
there is a possibility that the other party may not have changed over and may still be
in the previous cycle.

The resynchronization arrangement includes the following rules:

The gray areas each comprise only a few connections, for
example three connections. At the change point (at the end of connection L)
new, fresh back up sensitive data replaces the old data in the main memory
storage. Thus upon entering into the transient+1 area the main memory
comprises the new 'sensitive data'.

At the transient -1 area and at the transient -2 area the old
back up sensitive data is stored in the main memory. However, it is possible
to use the new data, as necessary, even though it is not yet in the main
storage, by generating it as required from the back up randomness stored at
the beginning of the Cycle.

If the gray areas have been reached then the new back up sensitive data is
[illegible] accurate, for the reasons outlined above, namely that the back up
[illegible] used to generate the new sensitive data has already been used
successfully for regular connections. Nevertheless, at this point, the old sensitive
information is still held as it is in the main memory storage.

At the transient -1 area and at the transient -2 area the main memory
retains the old back up sensitive data. However the new sensitive data may be
generated as required, from the back up randomness gathered at the beginning of the
cycle.


Operation of the resynchronization using the areas as described above is now
[illegible] parties reacts to the different possible circumstances when synchronization loss
occurs in each of the areas. It will be appreciated that there are numerous variations
in the way that two parties can achieve successful resynchronization based on the
use of areas and the following is exemplary only.

Preferably, at each connection, the parties exchange control messages. Each
connection has one party defined as the transmitter and one party defined as the
receiver. The transmitter preferably checks its own local control parameters to
determine whether it is in synchronization or not.

If its own local control parameters indicate it to be in synchronization, then
it recognizes the situation as a regular connection and uses regular sensitive data to
start the connection. The transmitter preferably sends to the receiver a control
message indicating a regular connection.

If its local control parameters indicate synchronization loss, then the
transmitter recognizes the situation as a back up connection and uses back up
sensitive data to start the connection. The transmitter preferably sends to the
receiver a control message indicating a back up connection. The transmitter then
adds an additional field to the control message indicating which back up sensitive
data is to be used: the old data or the new data.

The Receiver receives the control message from the transmitter and either
agrees to the mode (regular or backup) or disagrees. Agreement and disagreement
depends on the receiver's own analysis of the control message received, and on the
local control parameters. In general the receiver is allowed to force the transmitter
into a backup mode but it is not allowed to force the transmitter out of a backup
mode, giving the effective result that any party discovering synchronization loss is
able to force resynchronization, that is, the activation of back up mode.

For back up mode the transmitter acts as follows:

Selection of which backup Sensitive data to use is made by the transmitter. 

The transmitter notes which area it is in. 

If it is in the steady area then it has, in its permanent memory, the current
(old) back up sensitive data. The transmitter thus uses the current (old) backup
sensitive data and signals "Old" to the receiver.

If the transmitter is in the transient-2 Area it has in its permanent memory the
current (old) back up sensitive data. It thus signals to the Receiver "Old" and uses
the current (old) back up Sensitive data.

If the transmitter is in the transient-1 area it has in its permanent memory the
current (old) back up sensitive data, but it messages to the receiver "New" and uses
the new back up sensitive data - [illegible] in the table - by generating it specifically,
as explained above, from the back up random data gathered beforehand, at the
beginning of the Cycle. This is because the receiver may already have changed over
and is in the transient+1 area of the new cycle, thus no longer having the old
sensitive data, but in its current permanent memory has the new sensitive data, that
is of the new cycle.

If the transmitter is in the transient+1 area the transmitter has in its permanent
memory the next (new) back up sensitive data. It signals "New" to the receiver and
uses its current (in memory) backup sensitive data, which is the next (new) one
relative to the last cycle.

At the same time the receiver acts as follows:

If the receiver is in the steady area it simply uses the current (Old) backup
sensitive data, that is the [illegible] sensitive data it has in its permanent memory, and
ignores the control message received from the transmitter.

If the Receiver is in the transient-2 area it selects whether to use the current
[illegible] received.

If the receiver is in transient-1 area then again it uses either the current or
new (that is created on demand) backup sensitive data depending on the control
message received.

If the Receiver is in The Transient+1 Area, then it ignores the control
message and uses its current (in memory) backup Sensitive data, which is the next
(new) one relative to the last soon ended Cycle.
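
The transmitter and receiver rules above, modelled as an added example (not code from the patent): it pairs every transmitter area with every receiver area at a given separation, confirms that both sides pick the same backup sensitive data when they are at most one area apart, and lists the two-area separations where the rules alone would disagree. Assumptions: backup data is modelled as a SHA-256 of a constructed shared value and the cycle number, all function names are hypothetical, the receiver's transient-2 rule is taken to match its transient-1 rule, and the transient+1 transmitter is taken to signal "New".

```python
import hashlib

# Areas of one cycle in the order they are traversed. The backup changeover
# point lies between transient-1 of one cycle and transient+1 of the next.
AREAS = ("transient+1", "steady", "transient-2", "transient-1")

# Constructed sample value standing in for randomness both parties share.
SHARED_HISTORY = b"constructed-sample-shared-randomness"


def backup_data(cycle: int) -> bytes:
    """Backup sensitive data held in main memory throughout `cycle`.

    Assumption: modelled as a hash of the shared value and the cycle number.
    In the text it is built from backup random bits gathered early in the
    previous cycle, which is why a party in cycle n can already generate the
    data of cycle n+1 on demand.
    """
    return hashlib.sha256(SHARED_HISTORY + cycle.to_bytes(4, "big")).digest()


def locate(position: int):
    """Split a linear area index into (cycle number, area name)."""
    return position // len(AREAS), AREAS[position % len(AREAS)]


def transmitter_choice(position: int):
    """Return (control-message field, backup data) chosen by the transmitter."""
    cycle, area = locate(position)
    if area == "transient-1":
        # Old data is still in memory, but the peer may already have changed
        # over, so the next cycle's data is generated on demand.
        return "New", backup_data(cycle + 1)
    if area == "transient+1":
        # Memory already holds the data that is new relative to the last cycle.
        return "New", backup_data(cycle)
    return "Old", backup_data(cycle)  # steady and transient-2


def receiver_choice(position: int, signal: str) -> bytes:
    """Return the backup data the receiver uses, given the transmitter's field."""
    cycle, area = locate(position)
    if area in ("steady", "transient+1"):
        return backup_data(cycle)  # control message is ignored
    # transient-2 and transient-1: follow the transmitter's Old/New field.
    return backup_data(cycle + 1) if signal == "New" else backup_data(cycle)


def disagreements(separation: int, cycles: int = 3):
    """List (tx cycle, tx area, rx cycle, rx area) tuples for which parties
    exactly `separation` areas apart would select different backup data."""
    bad = []
    for tx in range(len(AREAS), len(AREAS) * (cycles + 1)):
        for rx in {tx - separation, tx + separation}:
            signal, tx_data = transmitter_choice(tx)
            if receiver_choice(rx, signal) != tx_data:
                bad.append(locate(tx) + locate(rx))
    return sorted(bad)


if __name__ == "__main__":
    for sep in (0, 1, 2):
        bad = disagreements(sep)
        print(f"separation {sep}: {len(bad)} disagreement(s)")
        for tx_cycle, tx_area, rx_cycle, rx_area in bad[:4]:
            print(f"  tx {tx_area} (cycle {tx_cycle}) "
                  f"vs rx {rx_area} (cycle {rx_cycle})")
```

Under this model the rules never disagree at a separation of zero or one area, which is the constraint the text places on the parties.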

It is appreciated that the above embodiment has been described in terms of
the transmitting party controlling the resynchronization process. However
alternative embodiments are possible in which a single party is initially designated
as the master or the receiving party controls the resynchronization, as the skilled
person sees fit.

It is noted that whichever of the versions of backup sensitive data is used
(that of the cycle ending, that of the cycle beginning or on demand prior creation of
that of the following cycle) then all that is needed is for succeeding connections to
be successful for it to be clear that the resynchronization has worked.

One more point is that, following the backup resynchronization procedure, a
new cycle is initialized, initiating the counting of successful regular connections
from 1 to L again. Preferably, new back up random bits are gathered and stored
from first sections of the newly begun cycle to be used at the end of that newly
begun cycle for generating new back up sensitive data for use in any of the ways
mentioned above.

The above system provides key management and a result of the above is a
valid strong encryption/decryption key. The key management system is suitable for
symmetric encryption and in particular may support DES. Alternatively where the
key matches the message bits in length it can be used in simple bitwise arithmetic
with the message bits in a procedure similar to that commonly used with one-time
pads.

It will be appreciated that, whereas the invention has been described above in
terms of communication between two parties, further embodiments are applicable in
which there are three or more parties to a communication. Thus the invention is
usable in a mobile radio system having a base station and numerous mobile stations,
or in an intercom system, whether star connected or net connected or connected in
any other way. In such embodiments the randomness is obtained in an identical
manner and resynchronization is controlled as before by whichever of the parties is
the transmitting party, or according to any other control arrangement that may be
considered.

It is appreciated that certain features of the invention, which are, for clarity,
described in the context of separate embodiments, may also be provided in
combination in a single embodiment. Conversely, various features of the invention
which are, for brevity, described in the context of a single embodiment, may also be
provided separately or in any suitable subcombination.

It will be appreciated by persons skilled in the art that the present invention is
not limited to what has been particularly shown and described hereinabove. Rather
the scope of the present invention is defined by the appended claims and includes
both combinations and subcombinations of the various features described
hereinabove as well as variations and modifications thereof which would occur to
persons skilled in the art upon reading the foregoing description.

Claims

1. Apparatus for use by a first party for key management for secure 
communication with a second party, said key management being to provide at each 
party, simultaneously remotely, identical keys for said secure communication without 
transferring said keys over any communication link, the apparatus comprising: 

a datastream extractor, for obtaining from data exchanged between said parties
a bitstream,

a random selector for selecting, from said bitstream, a series of bits in
accordance with a randomization seeded by said data exchanged between said parties,

a key generator for generating a key for encryption/decryption based on said
series of bits,

thereby to manage key generation in a manner repeatable at said parties. 

2. Apparatus according to claim 1, the random selector being operable to
use results of said randomization as addresses to point to bits in said datastream.

3. Apparatus according to claim 1, said key generator operable to generate 
a new key after a predetermined number of message bits have been exchanged 
between said parties. 

4. Apparatus according to claim 3, said predetermined number of message
bits being substantially equal to a length in bits of said key.

5. Apparatus according to claim 1, further comprising a control messager
for sending control messages to said remote party, thereby to indicate to said remote
party a state of said apparatus to enable said remote party to determine whether said
remote party is synchronized therewith to generate an identical key.

6. Apparatus according to claim 5, further comprising a synchronized state
determiner, for determining from control messages received from a remote party
whether said apparatus is synchronized therewith to generate an identical key.

7. Apparatus according to claim 6, further comprising a resynchronizer,
associated with said synchronous state determiner, said resynchronizer having a
resynchronization random selector for selecting, from a part of said bitstream
previously used by said random selector, a series of bits in accordance with a
randomization seeded by said data exchanged between said parties, in the event of
determination of synchronization loss, thereby to regain synchronization.

8. Apparatus according to claim 7, wherein said series of bits is a series of
bits previously used by said random selector.

9. Apparatus according to claim 6, wherein said control messager is
operatively connected to said synchronous state determiner, thereby to include within
said control messages a determination of synchronization loss.

10. Apparatus according to claim 7, wherein said control messager is
operatively connected with said resynchronizer, to control said resynchronizer to
carry out said selection in the event of receipt of a message from said remote party
that said remote party has lost synchronization.

11. Apparatus according to claim 7, said data communication being
arranged in cycles, said part of said bitstream being exchangeable in each cycle.

12. Apparatus according to claim 11, said cycle being arranged into
sub-units, each said cycle having an exchange point at its beginning for carrying out
said exchange.

13. Apparatus according to claim 10, said messager being usable to
exchange control messages with said remote party to ensure that a same bitstream
part is used for resynchronization at both said parties.

14. Apparatus according to claim 12, said messager being usable to vary a
control message in accordance with a sub-cycle current at a synchronization loss
event, thereby to control said remote party to resynchronize using a same bitstream
part.

15. Apparatus according to claim 14, operable to respond to messages sent
by a remote party following said synchronization loss event, to revert to same said
bitstream part as said message indicates that said remote party intends to use.

16. Apparatus according to claim 1, comprising circuitry for determining 
which of itself and said remote party is a transmitting party and being operable to 
control said synchronization when it is a transmitting party and to respond to control 
commands of said remote party when said remote party is said transmitting party. 

17. Apparatus according to claim 6, wherein said synchronized state
determiner comprises:

a calculation circuit for carrying out an irreversible calculation on any one of
said bitstream, said randomization, said key and derivations thereof, and

a comparator for comparing a result of said calculation with a result received
from said remote party,

thereby to determine whether said parties are in synchronization.

18. Apparatus according to claim 17, wherein said irreversible calculation
comprises a one-way function.

19. Apparatus according to claim 1, said system being operable to provide
key management for a symmetric cryptography algorithm.

20. Apparatus according to claim 19, being constructed modularwise such
that said cryptography algorithm is exchangeable.

21. A system for providing key management between at least two separate
parties, the system comprising

a primary bitstream for exchange between said parties,

and at each party:

a selector for randomly selecting, at predetermined selection intervals,
[illegible] of said primary bitstream to form a derived bit source, each selector being
operable to use said derived bit source, in an identical manner, to randomize said
selecting, and

a key generator for generating cryptography keys at predetermined key
generating intervals using said derived bit source of a corresponding selection
interval.

22. A system according to claim 21, wherein said primary bitstream is
obtainable as a stream of bits from a data communication process between said two
parties.

23. A system according to claim 21, wherein said bits in said primary
bitstream are separately identifiable by an address, and wherein said selector is
operable to select said bits by random selection of addresses.

24. A system according to claim 21, wherein each selector comprises an
address generator and each address generator is identically set.

25. A system according to claim 21, further comprising a controller for
exchanging control data between said parties to enable each party to determine that
each selector is operating synchronously at each party.

26. A system according to claim 25, wherein said control data includes any
one of a group comprising:

redundancy check data, and
a hash encoding result,
of at least some of the bits from said derived bit source.

27. A system according to claim 25, wherein said control data includes any one
of a group comprising:

redundancy check data, and
a hash encoding result,
of at least some of the bits of said randomization.

28. A system according to claim 25, wherein said control data includes any one
of a group comprising:

redundancy check data, and
a hash encoding result,

29. A system according to claim 25, wherein said control data includes any
one of a group comprising:

redundancy check data of at least some of said addresses, and
a hash encoding result of at least some of said addresses.

30. A system according to claim 25, further comprising at each party a
synchronizer operable to determine from said control data that synchronization has
been lost between the parties and to regain synchronization based on a predetermined
earlier part of said derived bit source.

31. A system according to claim 22, further comprising at each party a
synchronizer operable to determine from control data exchanged between said
parties that synchronization has been lost between said parties and to regain
synchronization based on a predetermined earlier part of said derived bit source.

32. A system according to claim 31, said data communication process being
arranged in cycles, said predetermined earlier part being exchangeable in each cycle.

33. A system according to claim 32, said cycles being arranged into sub-
units, each said cycle having an exchange point at its beginning for carrying out said
exchange of said predetermined earlier part of said derived bit source.

34. A system according to claim 30, said controller being usable to include
in said control messages, data to ensure that a predetermined earlier part of said
derived bit source of a same cycle is used for resynchronization at both said parties.

35. A system according to claim 33, said controller being usable to vary a
control message in accordance with a sub-cycle current at a synchronization loss
event, thereby to control said remote party to resynchronize using same said
predetermined earlier part of said derived bit source.

36. A system according to claim 35, operable to respond to messages sent
by a remote party following said synchronization loss event, to revert to same said
predetermined earlier part of said derived bit source as said message indicates that
said remote party intends to use.

37. A method of management with at least one remote party,
comprising the steps of:

sharing with said remote party a primary data stream,

using said primary data stream to form a randomizer,

selecting parts of said primary data stream using said randomizer to form a
derived data source, and

using said derived data source to form cryptography keys at predetermined
intervals.

38. A method according to claim 37, wherein said primary data source is
obtainable as a stream of bits from a communication process between said two
parties.

39. A method according to claim 37, wherein said primary data source 
comprises a stream of data bits divisible into data units and comprising selecting at 
random from the data bits of each data unit. 

40. A method according to claim 39, wherein said bits in said data units are 
separately identifiable by addresses, and comprising selecting said bits by using said 
randomizer as an address pointer. 

41. A method according to claim 37, wherein selecting is carried out by 
using identically set pseudorandom data generation at each party, and using said 
derived data source as a seed for said pseudorandom data generation. 

42. A method according to claim 37, further comprising exchanging control
data between said parties to enable each party to determine whether they are operating
synchronously with said other party.

43. A method according to claim 42, wherein said control data includes any
one of a group comprising:

redundancy check data of at least some of said derived data source, and
a hash encoding result of at least some of said derived data source.

44. A method according to claim 42, comprising determining from said 
control data that synchronization has been lost between the parties and regaining 
synchronization based on a predetermined earlier part of said derived data source. 

45. A method according to claim 44, further comprising a step of 
exchanging said predetermined earlier part of said derived data source at 
predetermined intervals. 

46. A method according to claim 45, further comprising steps of:

determining a possibility of each party being at a different cycle at
synchronization loss, and

controlling said resynchronization to use a same predetermined earlier part of
said derived data source at both parties.

47. A method according to claim 45, further comprising creating in advance
a future cycle's predetermined earlier part of said derived data source for
resynchronizing with a party that has already moved to such a cycle.

48. A method according to claim 37, in use to provide key management for a 
symmetric cryptography algorithm. 
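
The method of claims 37 to 44, sketched as an added example that is not part of the patent text: two parties select bits from shared data units by generated addresses, derive keys, compare a one-way check value, and revert to an earlier part of the derived source after a synchronization loss. SHA-256 as the one-way function and address generator, folding the selected bits into a running digest, the 256-bit unit size, the pick count and every name in the code are assumptions of this sketch.

```python
import hashlib

PICKS = 64   # assumed number of bits selected from each 256-bit data unit

class Party:
    """One end of the link; both ends start from the same shared state."""
    def __init__(self, shared_start: bytes):
        self.state = shared_start        # running digest of the derived data source
        self.checkpoint = shared_start   # the "predetermined earlier part"

    def _addresses(self) -> list:
        # Identically set generator seeded by the derived source (claim 41);
        # each output byte is a bit address inside a 256-bit unit (claim 40).
        out, counter = b"", 0
        while len(out) < PICKS:
            out += hashlib.sha256(self.state + counter.to_bytes(4, "big")).digest()
            counter += 1
        return list(out[:PICKS])

    def absorb(self, unit: bytes) -> None:
        """Select bits from one data unit and fold them into the derived source."""
        picked = bytes((unit[a // 8] >> (7 - a % 8)) & 1 for a in self._addresses())
        self.state = hashlib.sha256(self.state + picked).digest()

    def key(self) -> bytes:
        return hashlib.sha256(b"key" + self.state).digest()

    def control_data(self) -> bytes:
        # One-way check value (claim 43), domain-separated from key().
        return hashlib.sha256(b"sync" + self.state).digest()[:8]

    def mark_checkpoint(self) -> None:
        self.checkpoint = self.state

    def resync(self) -> None:
        self.state = self.checkpoint     # claim 44: revert to the earlier part

def demo():
    # Constructed sample traffic: four 256-bit data units.
    units = [hashlib.sha256(b"constructed unit %d" % i).digest() for i in range(4)]
    a, b = Party(b"constructed shared start"), Party(b"constructed shared start")
    for p in (a, b):
        p.absorb(units[0]); p.mark_checkpoint()
    a.absorb(units[1])                   # b misses this unit: synchronization loss
    for p in (a, b):
        p.absorb(units[2])
    lost = a.control_data() != b.control_data()
    for p in (a, b):
        p.resync(); p.absorb(units[3])
    return lost, a.control_data() == b.control_data(), a.key() == b.key()
```

Because the check value is a truncated digest computed under a different prefix from the key, exchanging it in the clear lets each side detect divergence without sending the key or the derived source itself.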